Posted: Tue, 04/05/2022 - 5:41pm
Businesses have been at work since last week investigating whether their applications or third-party software products are vulnerable to Spring4Shell, a critical remote code execution (RCE) vulnerability impacting Spring Framework, one of the most popular development frameworks for Java applications. While exploitation attempts have already been observed in the wild, the rate at which developers are updating their Spring instances appears to be slow going.
According to Sonatype, the company that maintains Maven Central, the biggest repository of Java components and libraries, 80% of Spring downloads since March 31 when the flaw was confirmed have continued to be for vulnerable versions of the framework. Maven Central integrates with many development tools, so the data suggests that developers are not in a rush to upgrade their Spring instances.